From a7f934325a3a4f8ca0dd35e5aaf38d309c46da00 Mon Sep 17 00:00:00 2001
From: Tad
Date: Tue, 22 Aug 2017 20:23:01 -0400
Subject: Harden /var

---
 etc/bitlbee.profile | 1 +
 etc/disable-common.inc | 12 ++++++++++++
 etc/server.profile | 2 ++
 3 files changed, 15 insertions(+)
(limited to 'etc')

diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 0b61e7b9f..1b7b2c258 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index c220b9c50..294ff6bcb 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -107,15 +107,27 @@ blacklist ${PATH}/zuluCrypt-cli
 blacklist ${PATH}/zuluMount-cli
 
 # var
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
 blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/systemd
+blacklist /var/lib/upower
+blacklist /var/log
 blacklist /var/mail
+blacklist /var/opt
 blacklist /var/run/acpid.socket
 blacklist /var/run/docker.sock
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/mysql/mysqld.sock
 blacklist /var/run/mysqld/mysqld.sock
 blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/run/systemd
 blacklist /var/spool/anacron
 blacklist /var/spool/cron
 
diff --git a/etc/server.profile b/etc/server.profile
index 04ef555de..edd4666e1 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -13,6 +13,8 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
+# noblacklist /var/log
+# noblacklist /var/opt
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
-- 
cgit v1.2.3-54-g00ecf
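Review bot: The package-manager entries added to the `# var` section of disable-common.inc (`/var/cache/apt`, `/var/lib/apt`, `/var/cache/pacman`, `/var/lib/pacman`) hide apt and pacman state only, so the hardening is distribution-dependent: `/var/lib/dpkg` on Debian-based systems and the rpm/dnf databases are left visible. If the intent is to hide package databases generally, add matching lines such as `blacklist /var/lib/dpkg`, `blacklist /var/lib/rpm` and `blacklist /var/cache/dnf` next to them, since a blacklist for a path that does not exist on a given system is harmless. The new `/var/run/screens` and `/var/run/systemd` entries presumably rely on the same treatment of `/var/run` as the existing `/var/run/*.sock` lines, but on systems where `/var/run` is a symlink to `/run` it is worth confirming that `/run/systemd` ends up covered, because that is the path applications actually open. Hiding `/var/run/systemd` also takes the systemd notify and journal sockets away from sandboxed daemons, which deserves a comment on that line such as `# hides systemd notify/journal sockets; noblacklist in profiles that need them`.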
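Review bot: In server.profile the new `/var/log` and `/var/opt` lines are added commented out, so every profile that includes server.profile now inherits the `blacklist /var/log` from disable-common.inc and a daemon that writes its log files there would presumably fail to open them unless each profile uncomments the line itself. bitlbee.profile in the same commit takes the opposite approach and enables `noblacklist /var/log` outright, so the two profiles are inconsistent about whether a server is expected to log under /var/log. Either enable the `/var/log` line here as well, or add a one-line comment above the two entries stating the expectation, e.g. `# uncomment if the server writes under /var/log or /var/opt`.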